
IPTables

von _alex_

  1. #!/bin/bash
  2. # ---------------------------------------------------------------------
  3. # Linux-iptables-Firewallskript, Copyright (c) 2006 under the GPL
  4. # Autogenerated by iptables Generator v1.22 (c) 2002-2006 by Harald Bertram
  5. # Please visit http://harry.homelinux.org for new versions of
  6. # the iptables Generator (c).
  7. #
  8. # This Script was generated by request from:
  9. # Alex_Heinrich@web.de on: 2006-9-11 8:40.56 MET.
  10. #
  11. # If you have questions about the iptables Generator or about
  12. # your Firewall-Skript feel free to take a look at our website or
  13. # send me an E-Mail to webmaster@harry.homelinux.org.
  14. #
  15. # My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
  16. # who made lots of Beta-Testing and gave me lots of well qualified
  17. # Feedback that made me able to improve the iptables Generator.
  18. # --------------------------------------------------------------------
  19.  
  20. case "$1" in
  21.   start)
  22.     echo "Starte IP-Paketfilter"
  23.  
  24.     # iptables-Modul
  25.     modprobe ip_tables
  26.     # Connection-Tracking-Module
  27.     modprobe ip_conntrack
  28.     # Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
  29.     modprobe ip_conntrack_irc
  30.     modprobe ip_conntrack_ftp
  31.  
  32.     # Tabelle flushen
  33.     iptables -F
  34.     iptables -t nat -F
  35.     iptables -t mangle -F
  36.     iptables -X
  37.     iptables -t nat -X
  38.     iptables -t mangle -X
  39.  
  40.     # Default-Policies setzen
  41.     iptables -P INPUT DROP
  42.     iptables -P OUTPUT DROP
  43.     iptables -P FORWARD DROP
  44.  
  45.     # MY_REJECT-Chain
  46.     iptables -N MY_REJECT
  47.  
  48.     # MY_REJECT fuellen
  49.     iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
  50.     iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
  51.     iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
  52.     iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
  53.     iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
  54.     iptables -A MY_REJECT -p icmp -j DROP
  55.     iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
  56.     iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
  57.  
  58.     # MY_DROP-Chain
  59.     iptables -N MY_DROP
  60.     iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
  61.     iptables -A MY_DROP -j DROP
  62.  
  63.     # Alle verworfenen Pakete protokollieren
  64.     iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
  65.     iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
  66.     iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
  67.  
  68.     # Korrupte Pakete zurueckweisen
  69.     iptables -A INPUT -m state --state INVALID -j DROP
  70.     iptables -A OUTPUT -m state --state INVALID -j DROP
  71.     iptables -A FORWARD -m state --state INVALID -j DROP
  72.  
  73.     # Stealth Scans etc. DROPpen
  74.     # Keine Flags gesetzt
  75.     iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
  76.     iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
  77.  
  78.     # SYN und FIN gesetzt
  79.     iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
  80.     iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
  81.  
  82.     # SYN und RST gleichzeitig gesetzt
  83.     iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
  84.     iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
  85.  
  86.     # FIN und RST gleichzeitig gesetzt
  87.     iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
  88.     iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
  89.  
  90.     # FIN ohne ACK
  91.     iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
  92.     iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
  93.  
  94.     # PSH ohne ACK
  95.     iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
  96.     iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
  97.  
  98.     # URG ohne ACK
  99.     iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
  100.     iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
  101.  
  102.     # Loopback-Netzwerk-Kommunikation zulassen
  103.     iptables -A INPUT -i lo -j ACCEPT
  104.     iptables -A OUTPUT -o lo -j ACCEPT
  105.  
  106.     # Maximum Segment Size (MSS) f
